Back-and-front scans of more than 54,000 NSW driver licences have been found on Amazon’s cloud service in what is being described as a “dangerous” data breach.
The images were found by Ukrainian security consultant Bob Diachenko.
“More than 50K scanned driver licenses (front+back) and toll notices exposed in a misconfigured S3 bucket,” Diachenko tweeted last week.
“Most likely - part of NSW RMS infrastructure (Road and Maritime, New South Wales, Australia). Secured now. No official response though.”
The server has since been secured by the Australian Cyber Security Centre, according to Security Boulevard.
The breach has raised concerns around the potential for identity fraud using the compromised licences, prompting Diachenko to describe the breach to ABC News as a “dangerous exposure”.
Who’s to blame?
On Tuesday, NSW Labor demanded the State Government notify the 54,000 drivers about the breach.
“There is no mandatory notification requirement for data breaches in NSW. That’s not good enough,” said Shadow Minister for Better Public Services, Sophie Cotsis.
“Any drivers whose licence details have been exposed deserve to know what happened.”
However, Transport for NSW – and the wider state government – has denied any wrongdoing in the matter.
“Initial information indicates the exposed AWS S3 bucket is not related to Transport for NSW or any government system,” Transport for NSW told Security Boulevard.
“While it is always important for licence holders to be privacy-aware when providing their sensitive personal information to other parties, Transport for NSW recognises that some third parties routinely request driver licence information as part of their business practices.”
The Upper House Premier and Finance Committee is currently conducting an inquiry into the number of cyber security incidents and data breaches involving NSW Government agencies.
On Wednesday afternoon, Cyber Security NSW confirmed the government’s denials.
“The data referred to in media coverage has been exposed via a commercial entity and is understood to include scanned copies of driver licences collected directly by the commercial entity from its customers,” Cyber Security NSW Chief Cyber Security Officer Tony Chapman said.
“The information was not provided by, nor sourced from NSW Government agencies. We do not know how long this commercial entity had this data open for and we do not know whether anybody other than the security researcher quoted in media coverage has accessed the information.”
Chapman said Cyber Security NSW was still awaiting confirmation from Amazon Web Services of the identity of the commercial entity, although ABC News is reporting Amazon is refusing to disclose the identity.
Once the business is identified, it will have to notify the customers affected by the breach under the Office of the Australian Information Commissioner’s (OAIC) mandatory reporting requirements, which have been in place since 2017.
The OAIC received 518 notifiable data breach reports in the first six months of 2020, down from 532 during the second half of 2019.
More details emerge
While much is still unknown about the breach, more details have since emerged regarding how these licences were compromised.
According to ABC News, the licences were made public as a result of the commercial entity misconfiguring its default privacy settings on AWS.
“Cyber Security NSW will continue to work with other organisations to seek more information about the commercial entity involved and encourage them to reach out to their customers if their information has been breached,” said Chapman.